SQL Server db_owner

z9zf31ra  于 2023-03-28  发布在  SQL Server
关注(0)|答案(4)|浏览(165)

in my SQL2008 I have a user which is in the "db_datareader", "db_datawriter" and "db_ddladmin" DB roles, however when he tries to modify a table with SSMS he receives a message saying:

You are not logged in as the database owner or system administrator. You might not be able to save changes to tables that you do not own.

Of course, I would like to avoid such message, but until now I did find the way... Therefore, I try to modify the user by adding him to the "db_owner" role, and of course I do not have the message above.

My question is:

  • Is it possible to keep the user in the "db_owner" role, but deny some actions like alter user or ? I try "alter any user" securable on DB level, but it does not work...

THANKS!

ttisahbt

ttisahbt1#

If the user is part of db_ddladmin it shouldn't be a problem. This is just a warning

ghhkc1vu

ghhkc1vu2#

Members of the db_ddladmin fixed database role can run any Data Definition Language (DDL) command in a database. It is probably just a warning from SSMS, try it out create a user and try to alter some tables

brjng4g3

brjng4g33#

My understanding has always been that any user with db_owner rights can do anything to a database, up to and including dropping it. Certainly, this was true through SQL 2005. I've heard nothing to imply that this has changed with SQL 2008.

soat7uwm

soat7uwm4#

Those are indeed warnings, and I don't see any way to disable that type of warning in SSMS.

In 2008R2 the behavior I'm seeing is users with "db_datareader", "db_datawriter" and "db_ddladmin" still need to be granted view definition to be able to make edits in SSMS by right-clicking and selecting design. If you haven't granted view definition, then the design view will open (with warnings) read-only.

See: MSFT Connect Bug

To me it seems more discoverable to assign view definition permissions to your ddladmin users through a role, rather than doing it for specific user accounts as stated in the workaround on Connect. This will add a db_definitionviewer database role:

USE <DB Name>;
CREATE ROLE db_definitionviewer;
GRANT VIEW DEFINITION TO db_definitionviewer;
EXEC sp_addrolemember 'db_definitionviewer', '<DOMAIN\group> | <DOMAIN\User>';

相关问题